Topic: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) (Read 91144 times)

And if you allowed only one transaction per block?

edit: The partial ordering can only be within one single block, and the total ordering is of all blocks, so if you have only one transaction per block, doesn't it follow that you have a total ordering of transactions?

Again after consulting with @anonymint in chat...

Ditto.

When you hurl ad hominems it is "mild" in your opinion, but when @anonymint responds in kind to teach you how disruptive it is for you to hurl them in the first place, he in your opinion is somehow overreacting.
You have very strange sense of fairness.
I bet you've observed in your life that you do not get along very well with others (other than perhaps your grandma and her perfect omniscient objectivity of ambiguous asynchronous partial orders).

You're moving the goalposts because you were defeated on the prior points. Now you're constructing strawmen.
Nobody cares what you think, they care what you formally prove as for the safety and security of your proposed Decrits consensus system.

When you have formal proofs in your whitepaper, then we can talk. Until then, you're becoming a waste of time again same as 2013.

You're writing a load of incomprehensible handwaving nonsense to confuse n00bs.
There's 2f + 1 and 3f + 1 BFT. Learn the attributes that apply to each.
Your designs must fit into one of those mathematical models. Period.

Not necessarily.
Refer to Part 2 of @anonymint's recent blog. Byteball and Hashgraph are 100% asynchronous.
You simply do not have a very coherent conceptualization of BFT.

This is the last reply you will receive to your nonsense. You go ahead building strawmen and such in your replies.

If ever you have a formalisation of your design, then we can do peer review of it.

---

Update:@Ix and @anonymint shared some amicable discussion in private messaging.

Thx for that good comprehensive compilation, hope many will honor that work


https://steemit.com/cryptocurrency/@anonymint/scaling-decentralization-security-of-distributed-ledgers-part-2


My comments to that with respect to the centralization attractor that is just part of all our crypto discussions, esp in this legend thread would be, how could you quantify that in terms of how easy it is to do a singel or better permanent attacks?
And second, what externalities are there, that will do a good job in terms of force the systems back to decentralize again?

The only answer to those questions I think I could give atm are

Since I cannot quantify it by absolute numbers, but estimate that you can bring down most coins with simple bot nets, only ASIC PoW is the best long term standard today, and proven the longest to work as well.

Second, due to the many external risks PoW has, any participant will have a chance over long time (decades) to get into the mining game and disrupt cartells. And if tha space for a coin is world wide for many decades than the centralization <> decentralization waves are acceptable and our sociaty and externalities can deal with that.

So the goal is to achieve that global adoption in a quick way, to give new parties chances to mine and keep or even increase decentrality in a suffincient and sustainable way.

I agree that there are a lot of moving parts. I disagree that attacking the network is the most efficient way to profit. It is unlikely that you can prove your argument one way or another, and vast generalizations are not convincing.


Why do you react so strongly to such mild characterizations? Take a chill pill, for once.


Bitcoin BFT requires the safety of the consensus result, regardless of adversary. The Decrits design (and presumably others that you've reviewed) eschews this requirement in favor of a non-automatic consensus in the face of adversaries. Since lack of safety can be proven (by a lack of validators' signatures), a node can't be convinced by an adversary that the network is correct and can therefore refrain from making decisions. With BFT, the network can never be proven safe or unsafe.


BFT assumes network synchrony. Every usable consensus system has to, to some degree. The FLP theorem can not apply. This is inviolable.

I discussed this with @anonymint in private chat and here's basically what was conveyed to me (he is in the Philippines and myself in Europe and I'm not using a VPN):


Incorrect.
Firstly, there's no zero sum game in the wealth effect of share markets (float versus marketcap, liquidity versus confidence, externalities of shorting, etc).
There’s tremendous elasticity due to speculative bubbles overshoot and then corrective crashes.
Your misunderstanding belies a correct understanding of markets and game theory as well.

There's far too many moving parts and degrees-of-freedom for there to be some sort tightly constrained mathematical relationship between minute changes in the economic weight and the attacker's loss or profit.
The Medium post that was cited explains some of the scenarios where your presumption fails.
And there are an unbounded many such scenarios.
The entropy even just on earth is not so tightly constrained as you seem to presume.


Did you see @anonymint's face while participating in discussions with him in 2013? What shade of blue was it? Purplish, lavenderish, cerulean, or cobalt?

There you go again with your curmudgeon demeanor injecting ad hominem personalization of what should be a factual exchange of ideas.

@anonymint can play that ad homimen game too if you prefer to continue slandering him, "that @Ix would even contemplate such an INANE and NAIVE concept shows that he's the one who everyone should be skeptical about. Sorry but frankly."

Please kindly refer to the discussion and links to the “math of liveness and safety” in @anonymint's latest blog and past writings.

I'm sorry but you'll need to understand the rigor of Byzantine fault tolerance and stop handwaving with ad hoc descriptions.
Point to the mathematical proof of your system, otherwise you're just trolling.

You're ostensibly pissed off at @anonymint for ad hoc discussions in 2013 about your Decrits consensus system, where you had not even published a whitepaper and he kept asking you for a more formal description of your system.


Mild punishment is still a game theory error.
And the point is since you can't punish non-responding validators, then you can't have both 100% finality and assured liveness.
And without 100% finality then there's no absolute objectivity by which all of the live users who were online at the time of the attack can accurately distinguish which fork they should choose.
Thus for this reason and the numerous degrees-of-freedom in the ways an attacker can profit, there's no actual disincentive for the attacker as you presume.

Sorry. As I said, the reality can be a bit depressing.
But blaming the reality on @anonymint is not sane. As if he has control over the reality.

Because you apparently don't understand the formalism of Byzantine fault tolerant systems.


Your incorrect presumption has been refuted above.

Multiple partial orders are ambiguous due to network asynchrony.
That is fundamental INVIOLABLE finding of the FLP theorem from the 1980s That's the entire reason a total ordering is required in these consensus system.


You seem to not comprehend the formalism of Byzantine fault tolerance and the ambiguity thereof when relying on network synchrony.



You're conflating connectivity with synchrony. Too different concepts.
It's like conflating gas stations and gasoline. Exemplifies that you have no fscking clue of the subject matter.

Btw, @anonymint explained that mesh networks are fantasy that will never happen due to economics and liveness. I would have to dig up the link to that Steemit post and also I think he posted about it on the Corbett Report recently.

The attacker loses if 1% of the economic weight of the network chooses not to use their fork, as I already stated. If both forks continue to exist, the value of the network is split and the attacker loses some amount of value. It is distributed back to the users of the network who have increased power at the attacker's expense.


I've seen you mention 33% stalling, but I don't know what the rationale is. Could you expand on it? At least under Decrits, each validator has control of the world for his window of time. The evil validators could ignore an honest validator, but they would have to be all of the validators immediately after that validator to do so and win undisputed. If there is any honest node, he accepts it and the honest chain continues, and it distills back to grandma again - which you erroneously presume requires 50% of something, but it only requires any amount of economic weight to be behind a fork.


This was an error in my original design that I have since rectified. Non-responding validators are only mildly punished.


Still not clear on how.


Just because you wrote something doesn't make it true. You dismissed my point that the attackers lose, at least on network, no matter what, and presumed this fell back to some 50%+ majority when no such majority is required. The attackers *always lose*.


Finality can be achieved without using the entire stake, or even a majority of it. There will just be multiple versions of finality, or voluntary hard forks. This gives the live observers the choice to choose which fork most closely resembles their own view of the network.


In the case that the attacker can somehow manipulate public opinion in the face of grandma's trust. You can't fool all of the people all of the time, ergo the attacker is guaranteed to lose something. Network connectivity can be a thornier issue, but we will eventually have uninterruptable internet satellites and mesh networks everywhere. Unless Russia uses a space nuke or something. But there are always scenarios that you can degrade to the end of civilization to prove your point. All currencies fail there.


Yeah but Vitalik released his landmark blog on weak subjectivity mere weeks after the Decrits whitepaper. Surely that means a melding of minds to a common conclusion.


And even then arguing until you were blue in the face that every other design was massively flawed and that your way was the only way. Forgive my eternal skepticism of you.

This discussion really distills down to this point.
If 50+% of the stake has someone they trust with a live version of events and all of them have the same version of events,
then they can all choose the correct fork and the remaining minority of the stake can see the majority has decided on a fork.
Then the attacker loses.

But you would still have an additional problem in that to detect double-spending with 100% objectivity requires 100% finality of epochs.
IOW, all of you in the 50+% stake will not be able to agree with 100% certainty on a double-spend without 100% finality.
Yet 100% finality of epochs (as opposed to probabilistic finality of transaction confirmation) requires permissioned set of validators of which only 1/3 of them can stall the entire chain
and the only way to unstuck the (transaction confirmation of the) chain is to hardfork.
The attacker then only needs control of 1/3 of the validators in order to short the token and profit.
The chain's protocol can't confiscate the security deposits of the non-responding validators because they may be legitimately under DDoS attack or suffering from some general failure such as Amazon or Azure outage.

Also permissioned validators is a political clusterfsck as described in the EOS section of @anonymint's most recent blog:

https://steemit.com/cryptocurrency/@anonymint/scaling-decentralization-security-of-distributed-ledgers

A consensus system with nothing-at-stake permissionless validators can fake a network outage by Sybil attacking the validator set.
Your Decrits design apparently forces new validators to queue up and be approved by many epochs before joining or leaving, but this is in essence a permissioned system,
because then 1/3 of the validators can stop the forward movement of the chain and those queued validators never become approved.
If you use an elapsed time instead of epochs, then that opens a different sort of security hole.

Everything you wrote as quoted above is the opposite of the possible outcome that @anonymint wrote about:

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

But perhaps the reason you didn't think so, is because you may not have realized the point above about 100% finality is required for 100% objectivity of live observers?

The attacker can profit even in the presence of security deposits.
That was one of the main points of the Medium post.
Apparently there is a great cognitive dissonance in interpretations of the game theory and economics between your thought process and that which is written at the linked Medium blog.
Did the above point about permissioned validators and 100% finality bring your understandings closer together?

Analogous to network synchrony, censorship can't be objectively proven.
And especially when the censorship is against a few billionaires or such that nobody believes or gives a fsck about.
People have a crab bucket mentality. They love to see some billionaires lose everything.
You seem to not have a very realistic appraisal of human nature and the madness of crowds, or perhaps you just haven't looked it this way before??

Disagree. They gain back what ever they "invested" by shorting one and pumping the other.
Besides they probably bought the hell out of the token when it crashed to 50 satoshis in the crypto winter,
then they pump it up, short, and crash the fscker with an attack.
Or they issued the ICO and bought the ICO from themselves taking 80% of the money at no cost.
Many different sorts of manipulations and schemes.

It's depressing. I want to caution you before you go thinking you have some magic cure.
Many people have thought deeply about these issues for the past 5 years.
You're not the only one.
Although you were probably thinking about non-proof-of-work consensus systems before most of us.
@anonymint was on proof-of-diskspace and then memory-hard proof-of-work ideas for most of 2013 whilst you were already designing Decrits.

Btw @Ix, if you're an excellent programmer and you are interested to collaborate, there's BTC funding and vestment available. But maybe you want to do your own.

I am presuming that you have to ascribe game theory. Regardless of whether or not objectivity exists, there will be a loss to those attacking the network (and to those actively defending if the attacking network persists). Unless 100% of all economic value goes to their fork, they suffer a loss. Even if they convince 90% of the economic value to move, they lose the 10% which remains on the other fork where their stake is destroyed. Only the non-staking users of the network do not lose any value.


See above.


If that is the case, the objectively better fork is obvious.


But to do so they have to invest in the network itself, unlike with PoW. They must hedge that not only can they destroy your network, but that they can get you to believe it is destroyed.


But I trust my grandmother more than I trust CNN, or Coinbase, or the government. She runs a full node. Plus, the decentralization of currency should at its core help decentralize society as a whole and reduce the power of governments and megacorps. Maybe. But if it doesn't do that, it's probably not the fault of crypto but people. However, it'll help once cryptos start appearing that decentralize the creation and distribution of new money so that there is far less competition for stupid one-feature wonders promising $$$billions$$$ as you mentioned elsewhere.

@anonymint thinks the distinction is that in the case of ambiguous nothing-at-stake forks from the perspective of those who were offline,
  they're more or less ambivalent to the outcome which doesn't affect them.
And without a strong compass, they can then be swayed by the powers-that-be to believe in the mainstream opinion.
Mainstream opinion is owned by those who own the corporate behemoths.
So the point is that relying on community opinion is centralization.
If instead there was objectivity, then the users who were offline at the time of the forking wouldn't need to trust CNBC, CNN, FOXNEWS, BLOCKINFO.COM, COINBASE, ZEROHEDGE, ALEXJONES, and all those other gatekeepers.
We want to destroy their power if we can come up with a design that can do it.
Tangentially (and somewhat offtopic), see how Thatcher was the moma to those men, who reverted to children without a compass after she was gone:

https://steemit.com/politics/@anonymint/re-anonymint-unfairness-of-tax-cuts-for-the-rich-explained-in-beer-20180602t081228178z

@anonymint's idea for ending the "new feature" forks is to solve most of the problems that drive a hype market for forks such as scaling and latency of confirmations.
The speculation in the market is significantly driven by idea that the market for cryptocurrency is still nascent and largely untapped.
There will always be such speculative snake oil in the future, but who cares when their market caps top out at $1 billion on the pump and dump, when the main cryptocurrencies will have market caps in the $100s of trillions.

His idea for solving the nothing-at-stake problem revolves around formation of objectivity with statistical evidence.
We must remember that finality is always probabilistic any way.


Offline users do not know which one is the main chain.
Ostensibly you presume that COINBASE et al are going to agree with what the users who were live thought they observed.
It can’t be proven that one live group’s network synchrony was superior to another group's.
The point is you are presuming objectivity where objectivity doesn't exist.



He thinks you have this transposed from the actual reality that is likely to be the case.
Not only do you presume that the powers-that-be who want to do this attack are nameless,
but you presume that the live users who speak out against the powers-that-be will not be nameless.

Why wouldn't the powers-that-be own COINBASE et al? They own everything.
These gatekeepers are always for sale to the highest bidder who can steal the most from society.
That is what corporations do. They maximize profit by any means possible.
They have a fiduciary duty to maximize profit. They do not have morals.
I know you do not believe in fairytales so why would you believe the world is some fantasy fairytale where corporations and gatekeepers do the moral thing so they can lower their profits?

And their motive may not be double-spending but rather censoring transactions (although they can do this with a majority of the stake in most designs any way) and even long-range attacks where they steal coinbase funds and downstream lineage UTXO and burn UTXO they can't steal in order to accomplish attacks on competitors and what not (including shorting the token and then going long again after their attacks or what not especially if they're trying to destroy that token):

https://bitcointalksearch.org/topic/m.39124755

https://medium.com/@shelby_78386/btw-i-noticed-in-your-responses-to-others-at-the-end-of-your-blog-youre-emphasizing-393f4ca0deff

Also for a competing token to their Bitcoin, maybe they just want to destroy your token and short it into the ground.

The powers-that-be get their power largely through manipulation.

P.S.
Ty for the debate on the merits.
You still have a slight tone of presumptious arrogance as if you assume the other person doesn't have a valid rebuttal for you,
but it's possible to interpret your tone here as just skepticism.
Apologies that @anonymint didn't understand in 2013 when you used to post from username @Etlase2, that groupwise cryptographically secure entropy is possible in a proof-of-stake system.
Ourobos and Algorand exemplified it is plausible within some security thresholds.

"The “attacker” doesn’t need to cause harm to the majority (only to whom ever is the victim of the double-spending), so why wouldn’t the majority want to recognize their ownership of their free airdrop?"

How is this any different from what anyone can do without attacking the network? Create a copy of the software with some divergent property to create two chains. If the diverging property is seen as valid by some percentage of users, the divergent chain has some value. Do you have some solution to this as well?

There is little to no risk to creating a fork out of thin air such as in the case of Bitcoin Cash and whatnot, but there is a huge risk to creating an on-network fork - namely nobody cares about your fork and the value of your money from the main chain is destroyed. From there you must devolve your argument into what amounts to mind control. Do you really believe some nameless, faceless identity has a chance to sway users over the people they interact with daily on which chain is honest? And all this over trying to get their side of a double spend to complete?

@anonymint says:
Checkpoint is useless against a majority of the world's hashrate. The attacker can even divide-and-conquer the vested interests of the majority of the users:

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

https://bitcointalk.org/index.php?topic=4266048.40#msg39124755



One possible solution which @anonymint first wrote about in 2014 (and @patmast3r mentioned in 2016 which I dismissed at that ime only the context of the Iota-style DAG) is that double-spending burns all the UTXO involved. All lineage balances are reduced by the destroyed value. And if the payer associates a KYC identity, then all (or the amount designated by the payer) UTXO of that identity are destroyed or used to pay all of the double-spends instead of burning them if the designated amount is sufficient to pay all. Or stated in another way independent of KYC, the payer may designate some other UTXO which is time locked guaranteeing he will not issue a double-spend. Note even if the attacker had forked the chain before commitment to the time lock and orphans the commitment, then the attacker doesn't succeed in double-spending because the network remembers the signed commitment regardless of it being on an orphaned fork and inserts into any subsequent block unless the attacker can sustain censorship of the winning fork indefinitely. Yet this penalty system has to have some expiration into finality, otherwise an attacker can maliciously burn lineage far in the past causing current descendent UTXO to be burned. The payee (and all payees down the lineage chain) then judge the risk of the transaction based on the amount of UTXO still guaranteeing against double-spend combined with the depth of the confirmations. It's important to understand that all consensus is probabilitistic because of the physics of our universe.

However this proposed solution may not work in general cases of smart contracts although it can adapted to smart contracts in smart contracts where each user action is provably either a descendent or replacement of a prior action, so that issuing replacements can be penalized. And each such linearlized action chain has to be independent of the other ones, so that removing actions in one chain doesn't impact other action changes. An example of an independent linearized action chain, is a blog author making sequential edits of his blog. That would be independent of the edits of the other blogs of that author and other authors. Note that these attributes are actually necessary in any smart contract system which employs blocks, because otherwise the block producer could influence the outcome of the interactions by controlling the ordering of contract transactions within each block. The smart contract thus can't assume these interactions are randomized nor deterministic from the perspective of the signers of the transactions. This is probably yet another security hole in many extant smart contracts.

Note this idea is employed in SPECTRE and @anonymint pointed out that it would be incompatible with Replace-by-fee in Bitcoin. Yet his most significant criticism was specific to the fact that SPECTRE doesn't form consensus around a single total order, so that criticism wouldn't apply to the idea above because the total order will designate that the double-spends are burned and can't be further transacted as UTXO. @anonymint's understanding of SPECTRE is that the status of UTXO being double-spent is interpreted by the payer and payees, not by any total order of the ledger and ledger validators.

Note this sort of design is also being discussed in the ECDSA signatures: why not force the reuse for r for spends from the same address thread.

100% finality of confirmations requires a permissioned set of validators which has significant downsides to liveness.
See also the explanation below in response to @Ix.

Indeed that ends up being exactly the case.
See also the further discussion of Byzcoin in the OmniLedger discussion in @anonymint's latest blog.
So both of you were prescient.


Fixed that misspelling for you. Sorry I couldn't resist a little humor given the context of the discussion that was quoted from. In honor of the favorite word of the MSM in the Trump era.

We were doing great before asics were made. We could do alot by taking a gander at algos that enable a greater amount of general society to take an interest in mining on regular gadgets, rather than requiring devoted hardware that makes mining more a business attempt than an easygoing interest now.

Monsterer could you quote my post from there over here for us? I don't have time to go digging for your thread.

Start with a nonsense, non-holistic equation and you get only a nonsense result. And boastful, disrespect n00bs who memorized something from a white paper and think they are qualified to disrespect me.

I can only see Bitcoin flexible enough in its BCH instance yet - PoW is there for good as well, open competition and external risks will ensure 'enough' decentralization for the very long run. No oligarchs that can stay on top forever as in PoS.

Fees are cheap and poor countries can have a nearly perfect scarce good for trading / economic / SoV (money) use - also extrapolated into long terms when
mass adoption brings down volatility.

Scaling of international applications will need to get now into big economic players (big miners / full mining node runners) i.o. to world wide adapt it  - or stay nichy / die.

Restricted smart contracts and on-chain ICOs will do the rest from 15th May on - so  ETH and others are done with that.

Guess that's it for now.

I am not sure if the ideal solution exists yet but have faith it will come. When it does hopefully bitcoin will be flexible enough to adapt it.

In the future, government regulators will still try to centralize the blockchain. And just imagine that all States will disintegrate, then there will be complete decentralization.

Come on, smth can be or not be delusional only dependent on its intrinsic tech and people backing it up. In case of BTC we've seen it being operable and with enough supporters of all ranks. In case of other projects, say Ethereum or Lisk, there's a whole army of top tier devs and people from business to solve problems arising in front of it.
If your point is that BTC can be partially decentralized via mining pulls and stuff, I'll allow myself to direct your attention to V. Buterin's words on what can be named decentralized ("The Meaning of Decentralization" on Medium). People understand it quite differently, it turns out.

Pow will always be cheaper than pos trust me. Now for optimal CAP theorem attributes which cater to enterprise apps you may want to sacrifice some security for utility by doing a hybrid pow/pos with a layer 2. I will leave that as an exercise for you.

Which is why you are going to lose the most money by ignoring PoW flawed design.